In Google Search, Japanese security researcher Masato Kinugawa found what seemed to be XSS vulnerability. Such a safety hole could represent a serious risk and it could be extremely helpful in phishing and other forms of attacks for malicious actors. The XSS vulnerability was introduced by using a library called Closure and its failure to properly sanitize user input, according to an analysis carried out in LiveOverflow.
— Masato Kinugawa (@kinugawamasato) 31 March 2019
The technology giant has created and still uses the library open source for many of its applications, including search, maps and docs. Apparently on 26 September 2018, the vulnerability was introduced when somebody reportedly removed sanitation because of certain user interface problems. It was discussed in September 2018 on 22 February 2019 when the change took place.
Soon after Google learned of its existence, it is said that it patches the vulnerability. Developers ‘ comments on the rollback confirmed that the HTML sanitizer issue was related and that the Google Web Server (GWS) software has a XSS flaw.
While analyzing the flaw, LiveOverflow stated that the security bug probably had a bearing upon other Google products using the Closure library. It is unclear whether Google has given this vulnerability a bug bounty.